Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 26 Aug 2004 09:45:42 +0400
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: popa3d problem with more than 8 character passwords.

On Wed, Aug 25, 2004 at 01:29:20PM -0300, Lucas Brasilino wrote:
> 	I really don't know if it's a bug but I've
> installed popa3d 0.6.4.1 with PAM support (AUTH_PAM)
> and it's authenticating two passwords if they are
> equal up to 8th character. For example:
> 
> Real password: 1234567890
> 
> 12345678 is authenticated.
> 12345678itsafeature? is authenticated...
> and so on.

This has nothing to do with popa3d specifically.  Your system uses the
obsolete DES-based password hashes which have this limitation.

> I'm using RH7.2, PAM 0.74, GLIBC 2.2.2, OpenSSL 0.9.6g

So you need to configure your RH 7.2 to use the somewhat less obsolete
MD5-based hashes by editing /etc/pam.d/system-auth and adding the
option "md5" to the end of the "password" line.  Of course, this will
only affect newly changed passwords.

<plug>
You may also want to replace your RH 7.2 which reached end-of-life.
If you migrate to Openwall GNU/*/Linux (Owl), you will also get
non-obsolete password hashes supported out-of-the-box:

http://www.openwall.com/Owl/
http://www.openwall.com/crypt/
</plug>

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.